SAP Authorization Audit Readiness & Critical Access Monitoring!!!


As an SAP Authorization consultant, year on year we go through internal and external audit trials and provide evidence and clarifications for the samples requested.
We need to justify any slippage in process or access assignments; failing to provide evidence leads to audit deficiencies.
Auditors will not miss any chance to find even a small process gap, like an eagle catching a fish just beneath the river's surface.

To avoid audit deficiencies, we need a detailed SOP (Standard Operating Process), religiously follow the process, and document exceptions, if any.
The most important aspect is to monitor critical authorization assignments monthly (suggested) or quarterly, to assess unwanted assignments and remediate them even before they are noticed by the audit team.

I have outlined most of the critical authorization monitoring controls as follows:

1. Security Audit Parameters

The table below lists the generic audit parameters that should be configured in Production systems, which are the most important ones with regard to audit controls. The values are based on SAP best practices and may differ between organizations.

Password Parameters              Value
login/min_password_lng           12
login/min_password_digits        1
login/min_password_lowercase     1
login/min_password_uppercase     1
login/min_password_specials      1
login/password_history_size      4

Login and Session                Value
login/failed_user_auto_unlock    1
login/fails_to_session_end       3
login/fails_to_user_lock         6
login/no_automatic_user_sapstar  1
rdisp/gui_auto_logout            1800
auth/object_disabling_active     N

2. SAP Standard User Password and Active Status

SAP standard users such as SAP*, DDIC, TMSADM and SAPCPIC should have their initial passwords changed and should be kept locked in clients 000, 001 and 066 as well as in the Production client; in some cases TMSADM and DDIC are kept unlocked in the master clients.

To validate, execute transaction RSUSR003.

3. Critical Standard Profiles (SAP_ALL and SAP_NEW)

The SAP standard critical authorization profiles SAP_ALL and SAP_NEW must not be assigned to any user in any client.
To check, go to SUIM > Users by Complex Selection Criteria > Roles/Profiles > Profile Name = SAP_ALL and SAP_NEW.

4. Standard SAP Roles Assignment

No user in the Production client should be assigned SAP standard roles, i.e. roles whose names start with SAP* or /*. To check, go to SUIM > Users by Complex Selection Criteria > Roles/Profiles > SAP* or /*.

5. Access to Create User Master

Access to create user master records in Production should be restricted to the Authorization team, since they need to create service and system users. Dialog user creation should be via the GRC system.
To check: SUIM > Users by Complex Selection Criteria > S_USER_GRP ACTVT = 01

6. Access to Change User Master

This access is restricted to the Authorization team; no other user should be assigned it.

To check: SUIM > Users by Complex Selection Criteria > S_USER_GRP ACTVT = 02 or 06

7. Access to Unlock Users or Reset Password

In the ideal scenario, IT and business users log in to the Production system via SSO (Single Sign-On). There are exceptions for password login, such as IT admin users (Security and Basis) and a few business users who need to connect third-party tools (for example RF guns) with their Production user credentials. All such exceptions should be documented in the SOP.

To check: SUIM > Users by Complex Selection Criteria > S_USER_GRP ACTVT = 05

8. Access to Debug with Change

Debug-with-change access must not be assigned to any dialog user in Production; it should be part of an FF (Firefighter) user only.
To check: SUIM > Users by Complex Selection Criteria > S_DEVELOP ACTVT = 02 and OBJTYPE = DEBUG

9. Access to Import Transports

Only the Basis/Release team should have import access in the Production system.
To check: SUIM > Users by Complex Selection Criteria > S_CTS_ADM value = IMPA or IMPS
To check: SUIM > Users by Complex Selection Criteria > S_TRANSPRT ACTVT = 60

10. Execute Access for All Programs

No user in Production should be assigned execute access for all programs.

To check: SUIM > Users by Complex Selection Criteria > S_PROGRAM P_ACTION = SUBMIT and P_GROUP = #*

11. Authorization Objects Added Manually or Changed in Roles

All authorization objects in roles should be in Standard or Maintained status. Any exceptions should be documented. As per SAP best practice no objects should be added manually, since this has adverse effects during upgrades: transactions that depend on manually added objects that are not linked via SU24 will fail.

12. Custom Tcodes Without Authorization Object Linkage in SU24

Custom transaction codes must be associated with authorization objects maintained in SU24.
To check, extract all custom transaction codes via SE16 > table TSTC > Z*.
Next, paste the transaction codes from TSTC into the selection for table USOBT_C to check which ones have SU24 object mappings; any custom transaction code missing from that report must be added to SU24 with suitable authorization objects.

13. Administrator Access for All Batch Jobs

Batch administrator access (BTCADMIN = Y) should be restricted to the Basis team.
To check: SUIM > Users by Complex Selection Criteria > S_BTCH_ADM BTCADMIN = Y

14. Access to Delete Batch Jobs

To check: SUIM > Users by Complex Selection Criteria > S_BTCH_JOB JOBACTION = DELE

15. Access to Delete Logs or Jobs in Batch Input Processing

To check: SUIM > Users by Complex Selection Criteria > S_BDC_MONI BDCAKTI = REOG or DELE

16. Access to All Batch Input Processing Sessions

To check: SUIM > Users by Complex Selection Criteria > S_BDC_MONI BDCGROUPID = #*

17. RFC Administration Access

This access should be restricted to either the Basis team or the Batch Monitoring team.

To check: SUIM > Users by Complex Selection Criteria > S_TCODE = SM59 and S_ADMI_FCD = NADM

18. Execute Access for All RFCs

This access should not be assigned to any dialog user in the Production system. For batch job users, too, assign only the RFC authorizations required according to trace results rather than full access.

To check: SUIM > Users by Complex Selection Criteria > S_RFC = #* (or S_RFC = "*")

19. Change Access for All Tables

To check: SUIM > Users by Complex Selection Criteria > S_TABU_DIS ACTVT = 02 and DICBERCLS = #*
To check: SUIM > Users by Complex Selection Criteria > S_TABU_NAM ACTVT = 02 and TABLE = #*

20. Display Access for All Tables

You may be wondering why display access is critical: a business user with display access to all tables can view business-critical information, which can lead to business loss or an audit deficiency.

To check: SUIM > Users by Complex Selection Criteria > S_TABU_DIS ACTVT = 03 and DICBERCLS = #*
To check: SUIM > Users by Complex Selection Criteria > S_TABU_NAM ACTVT = 03 and TABLE = #*

21. Access to Modify Client Settings

To check: SUIM > Users by Complex Selection Criteria > S_TABU_DIS ACTVT = 02 and DICBERCLS = SS
To check: SUIM > Users by Complex Selection Criteria > S_TABU_NAM ACTVT = 02 and TABLE = T000

Note: authorization group SS contains security-relevant tables and hence should be assigned to the IT team only.

22. Access to Tables Not Mapped to Authorization Groups

Tables, both standard and custom, that are not mapped to a specific authorization group are automatically assigned to the group &NC&. We need to make sure that no user has change access to group &NC& in Production.

23. Access to Maintain Cross-Client Tables

To check: SUIM > Users by Complex Selection Criteria > S_TABU_CLI CLIIDMAINT = X
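The SUIM checks in controls 5 to 23 can also be run offline, for example as a scheduled pre-audit job over role extracts. The script below is an added example and not part of the original post: it assumes extracts of the role authorization table AGR_1251 (role, object, authorization instance, field, low, high) and the role assignment table AGR_USERS (role, user) in the column layout shown, covers a subset of the controls, and ignores directly assigned profiles and user-level exceptions.

```python
from collections import defaultdict

def value_matches(low, high, wanted):
    """SAP authorization value semantics for one (LOW, HIGH) entry of a field."""
    if wanted == "*":                  # the "#*" checks: only a literal '*' counts
        return low == "*"
    if low == "*":                     # full wildcard grants every value
        return True
    if high:                           # interval LOW..HIGH
        return low <= wanted <= high
    if low.endswith("*"):              # prefix pattern such as Z*
        return wanted.startswith(low[:-1])
    return low == wanted

# (control, object, {field: acceptable values}); every field must match inside the same AUTH instance
CRITICAL_RULES = [
    ("05 create user master", "S_USER_GRP", {"ACTVT": ("01",)}),
    ("08 debug with change", "S_DEVELOP", {"ACTVT": ("02",), "OBJTYPE": ("DEBUG",)}),
    ("13 batch administrator", "S_BTCH_ADM", {"BTCADMIN": ("Y",)}),
    ("19 change all tables", "S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("*",)}),
    ("21 modify client settings", "S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("SS",)}),
    ("22 change &NC& tables", "S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("&NC&",)}),
]

def find_critical_access(agr_1251, agr_users):
    """Return sorted (user, role, control) triples for every rule hit."""
    auths = defaultdict(lambda: defaultdict(list))   # (role, object, auth) -> field -> [(low, high)]
    for role, obj, auth, field, low, high in agr_1251:
        auths[(role, obj, auth)][field].append((low, high))
    hits = defaultdict(set)                          # role -> controls it violates
    for (role, obj, _), fields in auths.items():
        for control, rule_obj, spec in CRITICAL_RULES:
            if obj == rule_obj and all(
                    any(value_matches(lo, hi, w) for lo, hi in fields.get(f, []) for w in vals)
                    for f, vals in spec.items()):
                hits[role].add(control)
    return sorted((user, role, c) for role, user in agr_users for c in hits.get(role, ()))

# Constructed sample extracts (assumed column layout, not real system data)
SAMPLE_AGR_1251 = [
    ("Z_SEC_ADMIN", "S_USER_GRP", "T-0001", "ACTVT", "01", ""),
    ("Z_BASIS", "S_TABU_DIS", "T-0002", "ACTVT", "02", ""),
    ("Z_BASIS", "S_TABU_DIS", "T-0002", "DICBERCLS", "*", ""),
    ("Z_BASIS", "S_BTCH_ADM", "T-0003", "BTCADMIN", "Y", ""),
    ("Z_FIN_DISPLAY", "S_TABU_DIS", "T-0004", "ACTVT", "03", ""),      # display only: no hit
    ("Z_FIN_DISPLAY", "S_TABU_DIS", "T-0004", "DICBERCLS", "FC*", ""),
    ("Z_DEV_DEBUG", "S_DEVELOP", "T-0005", "ACTVT", "01", "03"),       # range covers 02
    ("Z_DEV_DEBUG", "S_DEVELOP", "T-0005", "OBJTYPE", "DEBUG", ""),
]
SAMPLE_AGR_USERS = [("Z_SEC_ADMIN", "SECADM1"), ("Z_BASIS", "BASIS1"), ("Z_FIN_DISPLAY", "FINUSER1"), ("Z_DEV_DEBUG", "FINUSER1")]
```

Each hit should be reconciled against the documented SOP exceptions; anything left over is a remediation item before the auditors sample it.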

 

Conclusion:

Frequent monitoring of the critical access assignments above will help you be prepared for an audit on any day, and for IT HPA (High Privilege Access) reviews as well, ensuring that only the relevant IT users are assigned privileged access.

 

Regards

Shivkumar
